Diffstat (limited to 'lib')
-rw-r--r--lib/secrets/default.nix92
-rw-r--r--lib/secrets/metadata.toml5
2 files changed, 97 insertions, 0 deletions
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
new file mode 100644
index 0000000..401d4a5
--- /dev/null
+++ b/lib/secrets/default.nix
@@ -0,0 +1,92 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.my.secrets;
+
+ secret = types.submodule {
+ options = {
+ source = mkOption {
+ type = types.path;
+ description = "local secret path";
+ };
+
+ dest = mkOption {
+ type = types.str;
+ description = "where to write the decrypted secret to";
+ };
+
+ owner = mkOption {
+ default = "root";
+ type = types.str;
+ description = "who should own the secret";
+ };
+
+ group = mkOption {
+ default = "root";
+ type = types.str;
+ description = "what group should own the secret";
+ };
+
+ permissions = mkOption {
+ default = "0400";
+ type = types.str;
+ description = "Permissions expressed as octal.";
+ };
+ };
+ };
+
+ metadata = lib.importTOML ./metadata.toml;
+
+ mkSecretOnDisk = name:
+ { source, ... }:
+ pkgs.stdenv.mkDerivation {
+ name = "${name}-secret";
+ phases = "installPhase";
+ buildInputs = [ pkgs.rage ];
+ installPhase =
+ let
+ key = metadata.hosts."${config.networking.hostName}".sshPubKey;
+ in
+ ''
+ rage -a -r '${key}' -o "$out" '${source}'
+ '';
+ };
+
+ mkService = name:
+ { source, dest, owner, group, permissions, ... }: {
+ description = "decrypt secret for ${name}";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ rm -rf ${dest}
+ "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+ mkSecretOnDisk name { inherit source; }
+ }'
+
+ chown '${owner}':'${group}' '${dest}'
+ chmod '${permissions}' '${dest}'
+ '';
+ };
+in
+{
+ options.my.secrets = mkOption {
+ type = types.attrsOf secret;
+ description = "secret configuration";
+ default = { };
+ };
+
+ config.systemd.services =
+ let
+ units = mapAttrs'
+ (name: info: {
+ name = "${name}-key";
+ value = (mkService name info);
+ })
+ cfg;
+ in
+ units;
+}
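Review bot: The plaintext secret ends up in the Nix store: on line 69 `'${source}'` interpolates a `types.path` value into the build script, which copies the referenced file into `/nix/store` (world-readable) as an input of the `${name}-secret` derivation, so encrypting it with rage afterwards protects nothing on the building host; the encryption step should run outside the build (e.g. the module consumes an already-encrypted file) rather than taking the cleartext as a store path. The activation script is also weaker than it needs to be: `rm -rf ${dest}` on line 81 is the only unquoted use of `dest`, the single-quoted interpolations on lines 82–87 break if a value contains `'`, and rage writes the output under the default umask before `chmod` on line 87 tightens it, leaving a brief window where the decrypted file may be readable more widely than `permissions` allows. Adding `umask 077` and using `escapeShellArg` (already in scope via `with lib;`) closes both. Separately, the `metadata.hosts."${config.networking.hostName}"` lookup on line 66 fails with a bare attribute-missing error when a host is not listed in metadata.toml; a `throw` with the hostname in the message would make that failure diagnosable.
```nix
    script = with pkgs; ''
      umask 077
      rm -rf ${escapeShellArg dest}
      "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o ${escapeShellArg dest} '${
        mkSecretOnDisk name { inherit source; }
      }'

      chown ${escapeShellArg "${owner}:${group}"} ${escapeShellArg dest}
      chmod ${escapeShellArg permissions} ${escapeShellArg dest}
    '';
```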
diff --git a/lib/secrets/metadata.toml b/lib/secrets/metadata.toml
new file mode 100644
index 0000000..a956c31
--- /dev/null
+++ b/lib/secrets/metadata.toml
@@ -0,0 +1,5 @@
+# This file specifies metadata for each host.
+
+[hosts.ahmed]
+ipAddress = "192.168.68.126"
+sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3/DjOuKMN18fs/0ZHI3kKLHGytXOFEDBbx+09ZrS3G"